Hacker News new | ask | show | jobs
by winstonschmidt 3929 days ago
They commented on this on Reddit: https://www.reddit.com/r/fulldisclosure/comments/3anfjk/tuta...

"This is not a vulnerability in Tutanota. We have built Tutanota with multiple layers of protection for our users. We currently use TLS and DANE to protect authentication and data integrity and (only tunneled) RSA-OAEP and AES-CBC to provide confidentiality. We have always communicated this transparently, it is nothing new. Neither the confidentiality nor the integrity of our users' data has been at risk. However, we know that the implementation is not perfect regarding this detail. That is why we are going to implement the following features as soon as possible: - Signatures/MAC - 2-factor authentication - Algorithms resistant to attacks of quantum computers - Simple verification of downloaded Tutanota apps Regarding the described issue, we know of two possible attacks on AES-CBC. Neither of them is feasible against Tutanota users: - Bit flipping: You need access to the plain text email and you have to be the MITM. - -Plaintexts are available at the sender and recipient only. We use secure TLS algorithms and DANE to protect against MITM. - Padding oracle: There is no padding oracle in Tutanota. Tl;dr There is no known vulnerability in Tutanota. Security is the heart of Tutanota, and we will fix vulnerabilities immediately."
4 comments
hannob 3929 days ago
Or in other words: No, they haven't fixed it.

And the answer is a mix of "we don't really understand crypto" and "you should trust us".

link
sarciszewski 3929 days ago
They seem to confuse digital signatures with message authentication.

> Padding oracle: There is no padding oracle in Tutanota.

Interesting claim. They're using PKCS5 which means that, yes, there is a padding oracle vulnerability, but triggering it is orders of magnitude more difficult than null padding.

https://github.com/tutao/tutanota/blob/tutanota-1.9.2+/nativ...

link
MatthiasPfau 3928 days ago
> They seem to confuse digital signatures with message authentication.

Why do you think that? Of course we (I am one of the founders of Tutanota) understand the difference of the two.

> They're using PKCS5 which means that, yes, there is a padding oracle vulnerability

Could you please describe the padding oracle? Knowing the padding algorithm is not enough to make up a padding oracle. The oracle must be able to decrypt the cipher text in order to tell the attacker if the padding is valid or not.

link
sarciszewski 3928 days ago
> Why do you think that? Of course we (I am one of the founders of Tutanota) understand the difference of the two.

Because you put them on the same line item.

https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-pass...

> Could you please describe the padding oracle? Knowing the padding algorithm is not enough to make up a padding oracle. The oracle must be able to decrypt the cipher text in order to tell the attacker if the padding is valid or not.

For fuck's sake, Google it. The top two search results explain it perfectly.

http://robertheaton.com/2013/07/29/padding-oracle-attack

https://blog.skullsecurity.org/2013/padding-oracle-attacks-i...

TL;DR if you aren't using authenticated encryption, because you're using CBC mode with a block cipher, an attacker can keep sending forged messages until it decrypts successfully. It's much easier to forge messages on zero byte padding than exploit PKCS(5|7), but attackers can still exploit padding errors to tell if their message decrypted.

link
MatthiasPfau 3928 days ago
Thanks for clarifying.

> an attacker can keep sending forged messages until it decrypts successfully

There is simply no way for an attacker to find out if his forged messages decrypt successfully besides having full control of the recipients machine. The padding oracle is useless in this case.

link
sarciszewski 3928 days ago
"The padding oracle is useless because we don't behave differently if decryption fails" doesn't really inspire confidence.

Why is there so much resistance to implementing authenticated encryption? It would literally take 10 minutes to implement, with constant time MAC verification on the recipient's end. That includes the time to unit test it.

Hell, I could send a pull request right now to do it if your team doesn't have the expertise on board.

Better yet: use Libsodium.

https://paragonie.com/blog/2015/09/how-to-safely-implement-c...

link
MatthiasPfau 3926 days ago
> Why is there so much resistance to implementing authenticated encryption?

We already stated that we are going to implement authenticated encryption. But when we do it we have to do it right. We have to keep everything backwards compatible and we can't enable one client to use the new implementation until all supported clients (JS, .NET (Outlook), Android and iOS) are upgraded. Implementing this kind of backward compatibility will not take only 10 minutes.

Please submit a pull request that keeps everything backwards compatible and works for all platforms. We are happy about everyone who wants to contribute.

link
tptacek 3929 days ago
An end-to-end encrypted messaging company claiming to use DANE to protect end-users. Sheesh.
link
sarciszewski 3929 days ago
Especially when the objection I raised is that the server can perform privileged active attacks on the client software.

I'd say avoid Tutanota.

link
3pt14159 3929 days ago
Also a laughable difficulty algorithm for the password:

https://imgur.com/JX7Vyje

(Mix of random numbers and symbols)

link
tedunangst 3929 days ago
Pretty sure you can do bit flipping without access to the plaintext...
link
sarciszewski 3929 days ago
Yeah. In addition to the Crypto Pals challenges, I actually used this to prove a point (with contrived example):

https://paragonie.com/blog/2015/05/using-encryption-and-auth...

link